Brute force iCloud hacking tool posted online

A password-hacking tool has been uploaded to allow attackers to break into any iCloud account.

Named iDict, it has been uploaded to code sharing service GitHub by a user using the handle “Pr0x13”. According to the Hacker News, the tool makes use of an exploit in Apple’s iCloud security infrastructure to bypass restrictions and two-factor authentication security that prevents brute force attacks, and keeps most hackers away from gaining access to users’ iCloud accounts.

The user claims that iDict is a “100 per cent” effective and simple to use method of cracking individual iCloud account login credentials. Presently, the dictionary file only contains 500 common passwords.

Pr0x13 said his intentions were only to alert Apple about the vulnerability, so that the company could fix the problem as soon as possible. The tool, according to the hacker, has been released to force Apple to act on the issue and nothing else.

The company needs to fix the “painfully obvious” vulnerability before it’s “privately used for malicious or nefarious activities, Pr0x13 explains on GitHub.

Jerome Segura, senior security researcher at Malwarebytes, said that the tool is made of a few php files and a large text file containing hundreds of thousands of passwords and works by loading the scripts on to a local web server from where they are able to perform unlimited login attempts using the list of passwords.

“This technique is known as a brute force dictionary attack can only work if the service it is trying to abuse does not detect and block repeated and failed login attempts,” he said.

“Apple, just like many other companies does typically detect this type of abuse and locks down the particular account being probed. The ‘exploit’ is a failure to notice the brute force attack and therefore failure to prevent it.

“This attack also shows the importance of carefully choosing a username (which in the case of iCloud is an email address) and not making it public. Indeed, without this piece of information, an attacker can’t hack into your account without also trying to guess your email address (also through a dictionary attack).”